Is SharePoint HIPAA Compliant?

SharePoint is a web-based document management and storage system. It is one of the top collaborative platforms and is utilized by 78% of Fortune 500 companies. Can the healthcare industry also use SharePoint in association with protected health information (PHI)? Does it support HIPAA compliance?

The SharePoint platform is based on Microsoft’s OpenXML document standard, so it works seamlessly with Microsoft Office. It also has most of the functions that Google Drive and Dropbox offer, both of which can be considered HIPAA compliant provided certain conditions are satisfied. SharePoint, however, is much more powerful, as it can be used for intranet sites, internet portals and as the basis for a CRM system. With its extensive range of functions, SharePoint is obviously a good match for healthcare companies, but does the platform have all the functions and security controls that HIPAA requires?

The first consideration in deciding the viability of a platform for use in healthcare in the U.S. is if the service provider will sign a business associate agreement (BAA) with a HIPAA covered entity or its business associates. If there’s no BAA, an entity cannot use the platform with any protected health information (PHI).

Microsoft is ready to sign a BAA with HIPAA covered entities for Yammer and Office. As for SharePoint, Microsoft states on its official website that SharePoint Online is HIPAA compliant and can be used with Office 365 Enterprise, as its BAA for Office 365 Enterprise also covers SharePoint Online.

Can we consider SharePoint HIPAA compliant? Although no software platform is truly HIPAA compliant on its own, SharePoint possesses the administrative and technical controls required to satisfy the HIPAA Rules. So, HIPAA covered entities can utilize SharePoint in a way that complies with HIPAA.

Microsoft will likewise make certain that it fulfills its obligations as a business associate. However, it is the users’ responsibility to follow the HIPAA Rules. The platform must be configured appropriately, and individual access controls and audit controls must be set up. Logs need to be monitored and proper security controls need to be configured. Users also need training on the proper use of the platform and must be made aware of the restrictions HIPAA imposes.

As long as there is a BAA and the platform is set up and used properly, SharePoint may be regarded as a HIPAA compliant platform for document management, storage and collaboration.